Friday, June 24, 2011

Inline file types under SharePoint 2010 WITHOUT security downgrade

So you got your site migrated to 2010 and were crazy enough to include Flash and PDF content. Have your testers tried clicking on links to those files yet? Or worse, looked at a page with embedded objects that link to those file types? If so, you have probably discovered that those files are on the SharePoint 2010 naughty list and are no longer served as inline content. While I suspect that this may be a subtle form of revenge from MS directed at Adobe (cannot help but like this), it would be way better if there was some way we could control it…

If you Google this issue, many people proudly report (in their blogs) the solution to be changing the Browser File Handling mode from ‘Strict’ to ‘Permissive’ for the web application:

Browser File Handling
You can specify whether additional security headers are added to documents that are served to Web browsers. These security headers specify that a browser shows a download prompt for certain types of files (for example, .html), and to use the server's specified Multipurpose Internet Mail Extensions (MIME) type for other types of files.
The Permissive setting specifies that no headers are added. The Strict setting adds headers that force the browser to download certain types of files. The forced download improves security for the server by disallowing the automatic execution of Web content. By default, the setting is Strict.


Am I the only one who has a problem with downgrading a SharePoint security setting like this? Apparently so.

To resolve this, here is what I did so that an application may server PDF and Flash (and any other specific content) inline while remaining in strict mode for all other content currently on the ‘no inline’ list:

1. Create a Feature that deploys a new HttpModule in IIS. Say what you want about how they inspect every request, do it right and the impact is almost undetectable.

2. Within that HttpModule, check the current requested file’s extension.

3. Using a custom configuration section, allow a set of ‘handled’ extensions to be defined, along with a set of HTTP headers to be removed.

4. Deploy your solution and add in sections to remove the X-Download-Options, X-Content-Type-Options, Content-Disposition headers from FLV, PDF, and SWF files

Simple. Here is an example of what one of our config files looks like to allow PDF, SWF, and FLV files to be served inline:

<add extension="pdf" removedHeaders="X-Download-Options;X-Content-Type-Options;Content-Disposition" />
<add extension="swf" removedHeaders="X-Download-Options;X-Content-Type-Options;Content-Disposition" />
<add extension="flv" removedHeaders="X-Download-Options;X-Content-Type-Options;Content-Disposition" />

As you might be able to tell, the solution also allows you to add headers to a specific file type, which would let you add to SharePoint’s inline naughty list if you should some day have a need for it.

If you are reading this and say to yourself ‘Hmmm – this sounds useful, sure wish I had the code for it…’ then you are in luck – just leave a comment and the code shall be posted!! Otherwise, I ain’t going to bother with it – already bothered enough firing up Live Writer to post this post.

[Update!] I finally got around to posting the files! They are at the bottom if this post here.

© I caught you a delicious bass.
Back to top